This article details the troubleshooting steps for LANDESK Device Control.
- LANDESK Device Control Installation
- Important Files in LANDESK Device Control
- Reset Known volumes
- Items to gather and send to the LANDESK Support technician:
LANDESK Device control uses settings defined in .XML files called "behavior files", in the same way that Agent Behavior or Scan and Repair settings use behavior files.
LANDESK Device Control Installation
In order for LANDESK Device Control to be installed on a device, the following must occur.
1. Endpoint Security must be checked as a component in the Agent Configuration - Start - Agent Components to install section.
2. The proper Endpoint Security setting must be selected in the Agent Configuration - Security and Compliance - Endpoint Security - Machine Configuration section.
3. Within the selected Endpoint Security Setting, Device Control must be selected as one of the Security Policies to install.
Note: If the Agent was installed without Endpoint Security, Endpoint Security can be installed later by pushing an "Install/Update Security Configurations" task from the Security Configurations Tool "Create a Task" drop-down.
Important Files in LANDESK Device Control
Files within LDCLIENT\HIPS directory:
DCM.LOG : Device Control Manager Device Log file
DCMVOLUMES.LOG : Device Control Manager Volumes Log file
DCM.XML : Device Control Manager behavior file.
Files within \Documents And Settings\All Users\Application Data\LDSEC directory (Prior to Windows Vista) or \ProgramData\LDSEC directory (Vista and later)
BVD.RPT - File used for display of data within client EPS gui.
LDSECSVC-DCM-DEBUG.LOG - Debug log for Device Control Manager
HIPSCLIENTCONFIG-HIPS-debug.log - Log file for HIPSCLIENTCONFIG.EXE
This program is used when installing Endpoint Security
Files within \Documents And Settings\All Users\Application Data\Vulscan directory (Prior to Windows Vista) or \ProgramData\Vulscan directory (Vista and later)
HipsBehavior_(CoreServerName)_ID#.XML - Mainly contains Trusted Location information for HIPS and LANDESK Firewall
HipsBehavior_(CoreServerName)_ID#.ZIP - .ZIP file containing all Endpoint Security behavior .XML files.
ActionHistory.(ClientIPAddress).sent.#.xml - Action history sent from client to the core.
vulscan.log or vulscan.#.log - useful for troubleshooting installation, change settings
softmon.log - logs ActionHistory activity for actions sent to core by the Softmon process
Important Registry Keys
Settings - Current EPS settings.
Known Volumes - Volumes that were present at the time of the DCM policy installation. These should be excluded from the volume policy.
Reset Known volumes
This will reset the list of volumes that are listed as allowed by EPS. You would reset a known volume in the instance that you deployed an EPS configuration yet an undesired volume (such as an external USB hard drive) was plugged in at time of install. This will automatically add this drive to the "known volumes" list, thus it will be allowed even if a volume restriction policy is in the EPS configuration.
- Push out an agent configuration that Allows all volumes. This will reset the known volumes list.
- You can then push out the final Agent Configuration with the desired volume restrictions and exceptions.
- From the command prompt type "sc.exe control ldsecsvc 130"
General Troubleshooting steps
- Are the Device Control Settings on the core server configured correctly for the expected outcome?
- Check the Device Control Settings in the Security Configurations Tool on the Core Server)
- Make sure you are looking in the correct group - My, Public or All
- Make a note of the ID #, Name, and Revision # for the Device Control Setting
- Do the Device Control Settings match what is listed on the Core Server?
- Check which Endpoint Security setting is active on the client
Look in the registry at: HKLM\Software\LANDESK\ManagementSuite\WinClient\Vulscan
Does the Behavior ID, Name and Revision match the core setting? (If different, run Vulscan /changesettings /showui)
Within the DCM.XML file in the LDCLIENT\HIPS directory, do the settings match what is expected?
- Examine the log files (DCM.LOG and DCMVOLUMES.LOG in LDCLIENT\HIPS) (Best way to gather is by turning on debug logging)
- Do any of the ActionHistory.(ClientIPAddress).ID#.sent.xml files that contains the action expected?
If not, duplicate the failure again and check the ActionHistory XML files.
How actions are sent from the Client to the core server
Whenever an action takes place (A device is blocked, shadow copy activity takes place, etc) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file. If no further activity takes place within 2 minutes, Softmon will send this information to the core server. Otherwise every time Vulscan runs, it gathers the ActionHistory information and sends it to the core server. This ActionHistory information gets stored in the HIPSAction table in the database and is displayed in the Security Activity window. After the ActionHistory is sent, the .XML is renamed to .SENT.XML. 11 copies of this file are kept on the client. .sent and then .sent #'s 1-10.
If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
If ActionHistory is sent via Softmon, this is logged in the Softmon.log file
Items to gather and send to the LANDESK Support technician:
1. GetSystemInfo Report
2. Debug Logs
3. Exported Security Configuration Settings
4. If issue is a blue screen, gather a Kernel Mode Memory dump
Instructions for gathering this information follows:
Gather a GetSystemInfo report
The GetSystemInfo gathers details information about a computer, including hardware information, operating systems, drivers, installed, software, etc. This utility can be very useful for determining the cause of certain issues.
For Windows Workstation/Server
1. Run GetSystemInfo.exe on the computers with the problem.
2. Click the button Create report in the right part of the main window.
3. Wait until the utility has completely scanned the system.
4. Click OK to confirm the creation of a report.
A file will be created with the default name GetSystemInfo_<USER>_YYYY_MM_DD.zip.
Attach this report to your created case, or e-mail it to your LANDESK Support technician.
Turning on Debug Logging within LANDESK Endpoint Security
(For a video example of this process, see the GatherDebugLogs.zip attachment to this article)
The easiest way to gather all of the useful log and behavior files is to turn on debug logging. This will collect all files and compile them into a .CAB file on the desktop.
The following steps must be taken when gathering HIPS debug logs for LDMS 9.5:
- On the affected client right-click the Endpoint Security system tray icon and select "Open"
- In the LANDESK Endpoint Security window, click on the "Options" button in the top right, it looks like a wrench and screwdriver crossing.
- In the Options window, click on the "Troubleshooting Logs: Disabled" link at the bottom of the window. It will switch to "Troubleshooting Logs: Enabled"
- Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.
- Go to the Options window and click on the "Troubleshooting Logs: Enabled" link, it will switch back to "Disabled" and you will see a script run that automatically copies all the needed troubleshooting logs to the desktop into the "Logs.cab" and "Logs.def" files.
The following steps must be taken when gathering HIPS debug logs for LDMS 9.0:
1. Create the following DWORD registry key on the affected client:
"HKLM\Software\LANDESK\HIPS\Settings\DebugLevel" set to: 0xffffffff (enter 0xfffffff by clicking "Hexidecimal" and entering "F" eight times)
2. Right-click the Endpoint Security system tray icon and select "Stop services"
3. Run Endpoint Security again by clicking the "LANDESK Endpoint Security" icon from within the "LANDESK Management" program group.
4. Within the Endpoint Security GUI you should now have a blue "Collect debug logs" link at the top of the "Status" main pane.
5. Duplicate the issue that you wish to capture in the logs. If this requires a reboot, reboot at this time.
6. Click the "Collect debug logs" link in the EPS GUI.
This will compile the following files and place them in a "Logs.cab" on the desktop.
C:\Documents and Settings\All Users\Application Data\LDSec\*.*, C:\Documents and Settings\All Users\Application Data\Vulscan\ActionHistory*.xml
Windows Vista and higher:
C:\ProgramData\LDSec*.*, C:\ProgramData\vulscan\ActionHistory*.xmlLDClient\HIPS\*.log, *.xml, *.def, *.idx
If the problem is a Blue Screen, collect a Kernel Memory Dump
1. Right-click "My computer" and choose "Properties"
2. Go to the "Advanced" tab and then click "Settings" under "Startup and Recovery"
3. Under the "System failure" section under "Write debugging information" click the drop-down and select "Kernel memory dump".
4. Make note of the path that the MEMORY.DMP file will be saved to.
5. Duplicate the blue screen issue and then collect the MEMORY.DMP file and compress it in a .ZIP file.
A kernel memory dump must be supplied, a mini memory dump does not supply sufficient information.
Summary of items gathered:
The following is the list of files to be supplied to the Support Technician:
GetSystemInfo_Computername_Username_Date_time.zip – From GetSystemInfo
Logs.cab - From "Gather Debug Logs"
Endpoint Security Settings ##.ldms - From exporting the Endpoint Security Setting
(Note, this filename will differ based on what you have named the setting)
Device Control Setting ##.ldms - From exporting the Device Control Setting
(Note, this filename will differ based on what you have named the setting)
MEMORY.DMP - If issue was a bluescreen and you have gathered a Kernel memory dump
MEMORY.DMP will likely be too large to attach to an e-mail.
If this is the case, name your .ZIP file of MEMORY.DMP to "LANDESK Case # Memory Dump.zip" and upload to ftp://ftp.landesk.com/incoming